DAWN - the Internet Edition



Science.com

February 28, 2004



Law on denial-of-service attacks



By Syed Imad-ud-Din Asad


After reading the heading above, most of you must have already started wondering what denial-of-service (DoS) is and how a law can be applied to this activity. In simpler terms, it can be defined as an attack in which the legitimate users of a website, server, network, system, or such other service or resource, are either denied access to the resources or are prevented from getting their requests fulfilled, by flooding that service or resource with bogus traffic that causes it to either collapse or go extremely slow.

In other words, it is an attack in which the principal aim of the assailant is to deny the rightful users access to a computer resource or service. While in a DoS attack a single computer is used to assault the victim, in a distributed denial-of-service (DDoS) attack several computers are used in the assault. Such attacks, whether committed with a sole computer or an entire army of them, can cost the target a great deal of time and money.

The motives behind these attacks include: causing loss to the victim in order to satisfy some grudge; illegal financial gain; political opposition; adventurism; etc. The target may not only be a government or organisation, but also individuals. In the USA, in 2001, researchers from the University of California, San Diego, studying DoS attacks across the Internet, found that over twelve thousand such attacks were launched against more than five thousand targets in three one-week periods, making it over four thousand attacks per week. Home users, connecting to the Internet using dial-up or cable modems, were among the targets.

The early DoS attack technology made use of simple tools that generated and sent packets from a single source aimed at a single target. Over the years, tools have evolved that carry out single source attacks against multiple targets, multiple source attacks against single targets, and multiple source attacks against multiple targets. However, based on reported activity, multiple source attacks against multiple targets are rare. Two common methods for mounting a DoS attack are:

Packet flooding attacks: These attacks are aimed at overwhelming system resources. Kinds of packet flooding attacks include Smurf, Fraggle, Trinoo, Shaft, Trinity, TFN, Stacheldraht, Tribe Flood, etc.

Malformed packet attacks: These attacks are geared toward crashing a service. Kinds of malformed packet attacks include Syndrop, Tear Drop, New Tear, Ping of Death, Bonk, WinNuke, Chargen, Land, etc.

A DDoS attack uses the same methods as a regular DoS attack, but it is launched from multiple sources. It enables the assailant to launch a DoS attack from many machines against a single target. In order to conduct a DDoS attack, the assailant hacks or breaks into several computers all over the internet. Having done this, he first takes measures to conceal the break-in and to hide the traces of his subsequent actions. Then he installs a special process that enables him to control the hacked machine remotely. This process accepts commands from over the internet and, acting in accordance with those instructions, commences an assault over the internet against some specified target.

Finally, he notes the address of the machine thus taken over. So as to minimize the risk of his getting caught, a careful hacker starts by breaking into a few computers, then using them to break into some more, and repeating this cycle for several steps. By the time he is ready to initiate the attack, he has taken over hundreds or thousands of computers and assembled them into a DDoS network: this means that all of them have the attack software installed on them, and the assailant knows their addresses. When the time comes for the attack, the assailant runs a single command, which sends command packets to all the hacked computers, directing them to launch the attack against a particular target. It must be noted that hacking is the first step in organizing a DDoS attack.

The above description may seem sophisticated, but the remote control programmes and the instructions for using them have been easily available from a large number of pro-hacking websites since June 1999, from where they can be downloaded and used by anyone. The DDoS attacks in 2000 against the biggest e-commerce sites, such as Amazon.com, eBay, Yahoo!, CNN, E*Trade, etc., demonstrate this point very well. It started with Yahoo! Inc. The website was attacked on February 6, 2000, and was shut down for three hours as a result. The next day, Buy.com Inc. was hit. By the same evening, eBay, Amazon.com, and CNN had gone dark. In the morning, the mayhem continued with online broker E*Trade and others. On February 9, 2000, CNN reported Ron Dick of the FBI’s National Infrastructure Protection Center as saying, “A 15-year-old kid could launch these attacks. It doesn’t take a great deal of sophistication to do.” His words were prophetic. The person responsible for the attacks — described as “the most devastating assault on the World Wide Web in the history of the internet” — turned out to be a fifteen-year-old Canadian boy, alias “Mafiaboy.” Mafiaboy was arrested on April 15, 2000. On January 18, 2001, he confessed to fifty-six counts. According to an estimate, millions of dollars in potential revenue were lost as a result of this juvenile hacker’s handiwork. Yan Romanowski, Mafiaboy’s lawyer, conceded that his client was motivated by the challenge of knocking offline the sites that were considered most impregnable.

While it was just the sense of adventure and challenge that motivated a boy to launch the DoS attacks in 2000, organized criminal gangs have started to use DoS attacks in order to extort money from companies doing business online. Most of these gangs are based in Russia, China, Italy, and Brazil. Groups working in Eastern Europe have been launching continuous DoS attacks on business networks, costing the enterprises huge amounts in lost business and exposing them to blackmail. Several such cases surfaced in 2003.

In Britain, one betting site was brought down and then received a threat from perpetrators believed to be based in Eastern Europe that it would be attacked again unless tens of thousands of pounds were paid. Another British company was reported to have lost a million pounds a day in lost business as its service remained down. In September 2003, many gambling sites catering to the US market were hit by DDoS attacks and extortion demands. Sites were asked to pay up to fifty thousand dollars in order to stay free from attacks for a year. According to an official of Britain’s National Hi-tech Crime Unit, “The message to these companies is, ‘You pay and we leave you alone.’” He also said, “If the demand comes in for $40,000-50,000, compared to the losses they are suffering, there is an attraction for the companies to pay and hope it goes away. But there is nothing to say it will go away.”

By now it must be clear that DoS attacks are too real to be ignored and too imminent to be taken leniently. In order to discourage and prevent such malicious behaviour, most countries have declared DoS attacks to be an offence. In the USA, it can be a serious federal crime under the National Information Infrastructure Protection Act, 1996, with penalties that include several years of imprisonment.

In Pakistan, the Electronic Transactions Ordinance, 2002, criminalizes DoS attacks and prescribes the appropriate punishment. The Ordinance was promulgated by the President of Pakistan, and came into force on September 11, 2002. According to the preamble, its purpose is:

“To recognise and facilitate documents, records, information, communications and transactions in electronic form, and to provide for the accreditation of certification service providers, and for matters connected therewith and ancillary thereto.”

Though the term “denial-of-service” is not used in the Ordinance, such an attack does come within the purview of Section 37 (2), which says:

“Any person who does or attempts to do any act with intent to impair the operation of, or prevent or hinder access to, any information contained in any information system, knowingly that he is not authorised to do any of the foregoing, shall be guilty of an offence under this Ordinance.”

The punishment for the offence described in Section 37 (2) is prescribed in Section 37 (3):

“The offences under sub-section (1) and (2) of this section will be punishable with either description of a term not exceeding seven years or fine which may extend to one million rupees, or with both.”

Section 38 of the Ordinance declares:

“All offences under this ordinance shall be non-bailable, compoundable and cognisable.”

Regarding the prosecution and trial of offences, Section 39 says:

“No Court inferior to the Court of Sessions shall try any offence under this Ordinance.”

The Ordinance covers cases of cross-border DoS attacks as well. Although Section 1 (2), defining the extent of the Ordinance, provides, “It extends to the whole of Pakistan,” Section 32 states:

“The provisions of this Ordinance shall apply notwithstanding the matters being the subject hereof occurring outside Pakistan, in so far as they are directly or indirectly connected to, or have an effect on or bearing in relation to persons, information systems or events within the territorial jurisdiction of Pakistan.”

Thus, an individual can be prosecuted in Pakistan for carrying out a DoS attack, as long as there is one significant link with this country. For instance, launching a DoS attack against a computer in Washington from a computer in Islamabad is illegal, as is launching a DoS attack against a computer in Islamabad from a computer in Washington. Interestingly, using Pakistan as a staging post (let us say, conducting a DoS attack against a computer in Washington from a computer in Seoul via Islamabad) is also illegal and can be prosecuted in Pakistan.

The writer is a fellow at the Punjab Law College, Lahore



© DAWN Group of Newspapers, 2005